Given the strategic importance of cyber security, a reactive approach to tackling the risk of a cyber threat is no longer sustainable. Bringing the debate into the Boardroom offers the opportunity to develop an insights-based, risk-focused, and predictive strategy for managing cyber risk.
It is often said that in a world where everything is interconnected, data is the new currency. The rapid pace of technological change over recent years has blurred the traditional boundaries of organisations and their information systems and, in virtually every market, success can only be achieved through working alongside multiple third parties. In light of some recent and high profile cases, the very clear risk to organisations is losing control of essential data and systems which are critical to safeguarding the company and its strategic goals. As networks continue to expand, cybercrime has grown in scale and sophistication, and the stakes are higher than ever before.
A recent survey by KPMG found that many organisations lack the proper insights, both in terms of external threats and what's at stake for their organisations. This represents not just a serious impediment to the proper management of risks but extends into areas such as loss of data or damage to systems as well as the potential loss of investor and consumer confidence. Such reputational damage could have far-reaching consequences for many organisations and is one of the reasons why the issue needs to be moved into the Boardroom.
Surprisingly, the KPMG survey found that 53% of executives believe their organisation is able to detect ongoing cyber attacks. However, just 53% state that the Board considers cyber security a technical issue and 59% are not convinced or do not know whether their service providers understand how to defend against cyber attacks.
The threat to investment is real. A further KPMG survey of global institutional investors found that 79% of investors would be discouraged from investing in a business that has been hacked and that they believe less than half of the Boards of the companies they currently invest in have adequate skills to manage cyber risk. In addition, they believe that 43% of board members do not have the skills and knowledge to manage innovation and risk in the digital world.
Information about threats, risks and solutions tends to be communicated in technological buzzwords. The combined effect of this contributes to a sense of mystery around what cyber security means for senior management and can cause confusion. Many senior decision makers struggle to grasp what is really going on, and decoding the jargon of the security industry is essential to making them understand what is, and what can be, at stake. To deal effectively with the issue of cybercrime, we must place more focus on the potential pitfalls, and technical specialists should not dominate the field.
Furthermore, companies appear to struggle when measuring the return on security investments with 39% of respondents not monitoring the aggregate damage, direct and indirect, of a cyber attack. Among large enterprises, this figure is even higher with 50% of respondents having no insights into the damage.
A cyber security strategy should be a cost-effective control of the cyber environment and should address the tangible domains of people, processes and technology. The best way to do so is to put the user experience - not the technology - at the centre of the approach. Cyber security is not about tools and technologies; it is about people using those tools and technologies in a user-friendly, natural way. Professionals working in the security domain have a responsibility here: they should not focus solely on the technology. The skills to communicate about the issue in a broader sense in terms of people, processes and technology are essential.
Cyber security concerns all employees in an organisation and should not be delegated to a group of specialists. It is an attitude, not a department, and to drive and maintain awareness, the right tone at the top is equally important. People often think of cyber attacks as arising from outsiders hacking in. But it is a much broader issue than that. It can be internal or external, data is stored on many different portable media and devices, and security can be compromised either accidentally or intentionally.
There are a number of steps organisations can take to prepare for and mitigate these risks. The first relates to governance. There needs to be a governance strategy around security and incident management - who is responsible for it and what the reporting protocols are. Organisations also need to establish a firm-wide cyber risk management framework that has adequate scope for staffing and budget. After that, the risks to be avoided, accepted, mitigated or transferred need to be identified, and specific plans associated with each approach put in place. In summary, boards need to consider the following to be cyber secure:
With the pace of technological change and the increasing range of devices creating new points of attack all the time, there is no guarantee that any strategy will be totally effective. However, if an organisation has the right processes in place, it will know when it has been attacked and when data has been compromised, and will be able to respond. Ultimately, all organisations can do is have the right governance, strategies and processes in place to ensure that they keep pace with the changes and are able to respond to attacks and deal with any security issues whenever they might arise. They also need to demonstrate to investors and customers that they are taking it seriously, and this means boards elevating cyber risk higher up the agenda and investing more time in it.
This article first appeared in Irish Compliance Quarterly and is reproduced here with their kind permission.